mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2025-02-20 18:31:35 -05:00
typos fixes
Signed-off-by: samsepi0l <74207682+d4rklynk@users.noreply.github.com>
parent
95cd94f8eb
commit
98df4dca7e
@ -1,17 +1,17 @@
|
|||||||
---
|
---
|
||||||
title: "Using Lokinet on Qubes OS"
|
title: "Using Lokinet on Qubes OS"
|
||||||
date: 2022-07-27
|
date: 2022-07-27
|
||||||
tags: ['Operating Systems', 'Qubes OS', 'Anonimity', 'Privacy']
|
tags: ['Operating Systems', 'Qubes OS', 'Anonymity', 'Privacy']
|
||||||
author: Tommy
|
author: Tommy
|
||||||
---
|
---
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
[Lokinet](https://lokinet.org) is an Internet overlay network utilizing onion routing to provide anonimity for its users, similar to Tor network. This post will provide a quick (and non exhaustive) list of its [pros](#advantages) and [cons](#disadvantages) from an end user perspective and go over how to set it up on Qubes OS.
|
[Lokinet](https://lokinet.org) is an Internet overlay network utilizing onion routing to provide anonymity for its users, similar to Tor network. This post will provide a quick (and non-exhaustive) list of its [pros](#advantages) and [cons](#disadvantages) from an end user perspective and go over how to set it up on Qubes OS.
|
||||||
|
|
||||||
## Advantages
|
## Advantages
|
||||||
|
|
||||||
- Provides anonimity by removing trust in a service provider (as opposed to a traditional VPN)
|
- Provides anonymity by removing trust in a service provider (as opposed to a traditional VPN)
|
||||||
- Better versatility than Tor by supporting any IP based protocols (Tor only supports TCP)
|
- Better versatility than Tor by supporting any IP based protocols (Tor only supports TCP)
|
||||||
- Generally faster speed than the Tor Network
|
- Generally faster speed than the Tor Network
|
||||||
|
|
||||||
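Review bot: Renaming the front-matter tag from 'Anonimity' to 'Anonymity' in the `tags:` line changes the tag's name, so any other post that still carries the old spelling may end up listed under a different tag; please confirm the remaining posts are updated in this commit or a follow-up. In the intro paragraph, "similar to Tor network" still lacks the article ("similar to the Tor network"), and "IP based protocols" in the Advantages list could be hyphenated to match the "non-exhaustive" fix made here.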
@ -24,7 +24,7 @@ author: Tommy
|
|||||||
|
|
||||||
## Creating the TemplateVM
|
## Creating the TemplateVM
|
||||||
|
|
||||||
As mentioned [above](#disadvantages), the Lokinet client only works well with Debian-based distributions. This means that our template will have to be one of the Debian-based ones, and I would highly recommend that you convert the official Debian template by the Qubes OS team into a KickSecure template to use as a base. KickSecure reduces the attack surface of Debian with a substantial set of hardening configurations, and a nice feature to go with an anonimity network like Lokinet is [Boot Clock Randomization](https://www.kicksecure.com/wiki/Boot_Clock_Randomization) which helps defend against [time-based denonymization attacks(https://www.whonix.org/wiki/Time_Attacks). You will only need the `kicksecure-cli` meta package (`kicksecure-gui` is unnecessary), and experimental services like `proc-hidepid`, `hide-hardware-info` and `permission-hardening` work just fine with the Lokinet client. [Hardened Malloc](https://www.kicksecure.com/wiki/Hardened_Malloc) and [LKRG](https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG) do not cause any problem with Lokinet, either.
|
As mentioned [above](#disadvantages), the Lokinet client only works well with Debian-based distributions. This means that our template will have to be one of the Debian-based ones, and I would highly recommend that you convert the official Debian template by the Qubes OS team into a KickSecure template to use as a base. KickSecure reduces the attack surface of Debian with a substantial set of hardening configurations, and a nice feature to go with an anonymity network like Lokinet is [Boot Clock Randomization](https://www.kicksecure.com/wiki/Boot_Clock_Randomization) which helps defend against [time-based denonymization attacks(https://www.whonix.org/wiki/Time_Attacks). You will only need the `kicksecure-cli` meta package (`kicksecure-gui` is unnecessary), and experimental services like `proc-hidepid`, `hide-hardware-info` and `permission-hardening` work just fine with the Lokinet client. [Hardened Malloc](https://www.kicksecure.com/wiki/Hardened_Malloc) and [LKRG](https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG) do not cause any problem with Lokinet, either.
|
||||||
|
|
||||||
Since DNS with Lokinet does not work if it is installed inside of a ProxyVM, we will need to have Lokinet running inside the same AppVM as the applications you intend to run. This is less than ideal, as a compromised AppVM could reveal your IP address. Beyond that, accidental leaks can happen, too.
|
Since DNS with Lokinet does not work if it is installed inside of a ProxyVM, we will need to have Lokinet running inside the same AppVM as the applications you intend to run. This is less than ideal, as a compromised AppVM could reveal your IP address. Beyond that, accidental leaks can happen, too.
|
||||||
|
|
||||||
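Review bot: The paragraph under "Creating the TemplateVM" still has two defects on the very line this commit rewrites: "denonymization" should be "deanonymization", and the link `[time-based denonymization attacks(https://www.whonix.org/wiki/Time_Attacks)` is missing the closing `]` before the URL, so it will not render as a link. Suggest `[time-based deanonymization attacks](https://www.whonix.org/wiki/Time_Attacks)`.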
@ -69,6 +69,6 @@ Finally, enable the `lokinet` service:
|
|||||||
|
|
||||||
## Creating the AppVM
|
## Creating the AppVM
|
||||||
|
|
||||||
Just create the AppVM as usual and you would be good to go. There are a few things to keep in mind though:
|
Just create the AppVM as usual, and you would be good to go. There are a few things to keep in mind though:
|
||||||
- You should probably set networking to use `sys-firewall`. I have tested using my ProtonVPN ProxyVM for networking, and DNS was not working. Besides, it makes litle sense to attempt such setup anyways, unless you are worried about accidental leaks or a compromised AppVM.
|
- You should probably set networking to use `sys-firewall`. I have tested using my ProtonVPN ProxyVM for networking, and DNS was not working. Besides, it makes litle sense to attempt such setup anyways, unless you are worried about accidental leaks or a compromised AppVM.
|
||||||
- You should give the AppVM the `network-manager` service so that Lokinet can set up networking properly and get DNS working.
|
- You should give the AppVM the `network-manager` service so that Lokinet can set up networking properly and get DNS working.
|
||||||
|
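Review bot: The first bullet under "Creating the AppVM" still reads "it makes litle sense" on both sides of the diff; since this commit is a typo pass, change "litle" to "little" here as well. "attempt such setup anyways" could also become "attempt such a setup anyway" while the line is being touched.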